The common answer to this issue is to create Virtual LAN's (VLAN) to segregate the traffic. If your router supports this feature, it is fairly easy to set up. However, normally you would use the WiFi feature of the router or a dedicated WiFi AP to provide the entry to the unsecured VLAN.
In your case, you need to ensure that all unsecured traffic is encapsulated and sent straight out of the router. You can do this by using the Pi as an internal router. All traffic from the WiFi interface will be routed to the DSL router and, as you've commented, all other internal routes will be blocked.
You can make this a little easier to maintain by using a non-Internet routable address range on the WiFi network outside of the 192.168.x.x range. 10.x.x.x would be suitable.